diff --git a/go/core/cmd/controller/auth_mode_test.go b/go/core/cmd/controller/auth_mode_test.go
index 2963f8ea4..8acbffa4f 100644
--- a/go/core/cmd/controller/auth_mode_test.go
+++ b/go/core/cmd/controller/auth_mode_test.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+ "strings"
 "testing"
 
 authimpl "github.com/kagent-dev/kagent/go/core/internal/httpserver/auth"
@@ -32,7 +33,10 @@ func TestGetAuthenticator(t *testing.T) {
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- authenticator := getAuthenticator(tt.authCfg)
+ authenticator, err := getAuthenticator(tt.authCfg)
+ if err != nil {
+ t.Fatalf("getAuthenticator() unexpected error: %v", err)
+ }
 gotType := getTypeName(authenticator)
 if gotType != tt.wantType {
 t.Errorf("getAuthenticator() = %s, want %s", gotType, tt.wantType)
@@ -41,14 +45,27 @@ func TestGetAuthenticator(t *testing.T) {
 }
 }
 
-func TestGetAuthenticatorPanicsOnUnknownMode(t *testing.T) {
- defer func() {
- r := recover()
- if r == nil {
- t.Fatal("expected panic for unknown auth mode, got none")
+func TestGetAuthenticatorErrorsOnUnknownMode(t *testing.T) {
+ const invalidMode = "proxy"
+ authenticator, err := getAuthenticator(struct{ Mode, UserIDClaim string }{invalidMode, ""})
+ if err == nil {
+ t.Fatal("expected error for unknown auth mode, got nil")
+ }
+ if authenticator != nil {
+ t.Errorf("expected nil authenticator on error, got %T", authenticator)
+ }
+ // The error message must surface the invalid mode and the supported values
+ // so misconfigured deployments get an actionable message rather than just a
+ // generic failure.
+ msg := err.Error()
+ if !strings.Contains(msg, invalidMode) {
+ t.Errorf("error message %q does not include the invalid mode %q", msg, invalidMode)
+ }
+ for _, valid := range []string{"unsecure", "trusted-proxy"} {
+ if !strings.Contains(msg, valid) {
+ t.Errorf("error message %q does not list supported mode %q", msg, valid)
 }
- }()
- getAuthenticator(struct{ Mode, UserIDClaim string }{"proxy", ""})
+ }
 }
 
 func getTypeName(v auth.AuthProvider) string {
diff --git a/go/core/cmd/controller/main.go b/go/core/cmd/controller/main.go
index 576dee94a..b2d741ab2 100644
--- a/go/core/cmd/controller/main.go
+++ b/go/core/cmd/controller/main.go
@@ -17,6 +17,8 @@ limitations under the License.
 package main
 
 import (
+ "fmt"
+
 "github.com/kagent-dev/kagent/go/core/internal/httpserver/auth"
 "github.com/kagent-dev/kagent/go/core/pkg/app"
 pkgauth "github.com/kagent-dev/kagent/go/core/pkg/auth"
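Review bot: TestGetAuthenticatorErrorsOnUnknownMode exercises only the `"proxy"` value, so an empty or unset `Mode` — the input a misconfigured deployment is most likely to supply — is not pinned by any test visible in this diff. The new `default:` branch in main.go does reject `""`, but nothing here would fail if a later change made an empty mode fall back to `unsecure`. Running the same assertions over several rejected inputs would cover it, e.g. `for _, invalidMode := range []string{"", "proxy", "Unsecure"} {` with each case in its own `t.Run`. The table driving TestGetAuthenticator lies outside this hunk, so confirm it does not already rely on an empty mode being accepted.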
@@ -31,7 +33,10 @@ import (
 func main() {
 authorizer := &auth.NoopAuthorizer{}
 app.Start(func(bootstrap app.BootstrapConfig) (*app.ExtensionConfig, error) {
- authenticator := getAuthenticator(bootstrap.Config.Auth)
+ authenticator, err := getAuthenticator(bootstrap.Config.Auth)
+ if err != nil {
+ return nil, err
+ }
 return &app.ExtensionConfig{
 Authenticator: authenticator,
 Authorizer: authorizer,
@@ -41,13 +46,13 @@ func main() {
 }, nil)
 }
 
-func getAuthenticator(authCfg struct{ Mode, UserIDClaim string }) pkgauth.AuthProvider {
+func getAuthenticator(authCfg struct{ Mode, UserIDClaim string }) (pkgauth.AuthProvider, error) {
 switch authCfg.Mode {
 case "trusted-proxy":
- return auth.NewProxyAuthenticator(authCfg.UserIDClaim)
+ return auth.NewProxyAuthenticator(authCfg.UserIDClaim), nil
 case "unsecure":
- return &auth.UnsecureAuthenticator{}
+ return &auth.UnsecureAuthenticator{}, nil
 default:
- panic("unknown auth mode: " + authCfg.Mode + " (valid modes: unsecure, trusted-proxy)")
+ return nil, fmt.Errorf("unknown auth mode %q (valid modes: unsecure, trusted-proxy)", authCfg.Mode)
 }
 }
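Review bot: Returning `err` from the bootstrap callback means an invalid auth mode now stops the controller only if app.Start treats a non-nil error as fatal; the removed panic guaranteed that on its own. app.Start is not part of this diff, so confirm it exits rather than logging and continuing without an authenticator. The error is also passed up with no indication of which bootstrap step failed; `return nil, fmt.Errorf("selecting authenticator: %w", err)` would make the startup failure self-explanatory. The callback and main continue past the end of this hunk.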
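Review bot: getAuthenticator has no doc comment, and its fail-closed behaviour deserves one now that the error is part of the signature: `// getAuthenticator maps the configured auth mode to a provider. Any mode other than "trusted-proxy" or "unsecure", including an empty one, returns an error rather than a default provider.` Separately, the `trusted-proxy` case forwards `authCfg.UserIDClaim` unchecked; whether auth.NewProxyAuthenticator substitutes a default for an empty claim is not visible here, so either document that or reject the empty value in this switch. The mode names are also spelled out in the case labels, in the error text and again in the test, so named constants would keep the "valid modes" list from drifting away from the cases.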